Okay, I really want to understand how to make $_GET and $_POST more secure
because it means changing a fundamental way my scripts are now working.

So, it sounds like what I need to do in order to make form data more secure
is something like this...

$isAdmin = $_POST['isAdmin'];
$myName = $_POST['myName'];
$myPrefs = $_GET['myPrefs'];

Instead of this...


Is this correct?? Now, I can see how this will prevent a cracker from
flooding a script with invalid variables that are all extracted into local
vars, but, I don't see how this will prevent someone from hijacking the vars
and inserting their own data. Validating that kind of attack seems almost
impossible to do especially for things like forms that collect contact info.
I really don't want to have to validate every field for every legal
possibility (especially fields like Country).

I've read here that HTTP_REFERER is unreliable and can be easily spoofed,
but, is there a more reliable way to know where the $_POST and $_GET data is
coming from? Perhaps by IP of my server, or using $_SERVER['SERVER_NAME']?

Is there any superglobal variable that would be unique to my web server that
CANNOT be spoofed or easily changed by a cracker that I can use as a check
to be sure the data is being submitted from a form on my site on not from
someone else's site?

Thanks a lot, guys!


> From: [EMAIL PROTECTED] (Paul Nicholson)
> Organization: WebPower Design
> Newsgroups: php.general
> Date: Fri, 25 Oct 2002 13:06:10 -0400
> To: "Johnson, Kirk" <[EMAIL PROTECTED]>, PHP General
> Subject: Re: [PHP] extract($_POST)
> Hash: SHA1
> On Friday 25 October 2002 11:23 am, Johnson, Kirk wrote:
>>> And what should these precautions be?  If a malicious user can submit
>>> his own form and you are looking for a POST variable, how can you
>>> ensure that $admin came from your form and not that user's?
>> The problem is when a cracker uses form variables in an attempt to set the
>> values of "flag" variables kept only in the session, for example, $isAdmin.
>> As far as the form variables *you* put in your form, it doesn't matter
>> whether the user submits your form or a form they made themselves. Those
>> form variables are just data you are trying to collect.
>> With register_globals on, PHP takes *all* variables (GET, POST, COOKIE)
>> received from the client and assigns them to global variables. So if the
>> user posts a value for $isAdmin, she can give herself admin privileges.
>> The key is to retrieve *only* the form variables *you* put in the form from
>> the the $_POST array. So don't write a loop and grab *everything* from that
>> array.
>> Kirk
> Exactly! Not only should you retrieve *only* the vars you need from POST,
> you should also filter them to make sure they contain what you're looking
> for.....is_alpha($_POST['name']). And no, php doesn't have an 'is_alpha'
> function....I created that as part of a filtering class.
> ~Paul
> - -- 
> ~Paul Nicholson
> Design Specialist @ WebPower Design
> "The web....the way you want it!"
> "It said uses Windows 98 or better, so I loaded Linux!"
> Registered Linux User #183202 using Register Linux System # 81891
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> iD8DBQE9uXoKDyXNIUN3+UQRAkugAJ0aftPjxhmV0tSk125UZSTCuWp47QCfaKJ7
> z5+ja1P4NtWUwVMCMsFVt2M=
> =UG2o

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to